Privacy Class Action Dismissed for P.F. Chang’s

P.F. Chang’s has a reason to celebrate this holiday season: a judge recently dismissed a data breach class action lawsuit against the Chinese-inspired restaurant chain, citing the two plaintiffs’ failure to describe any injury for which relief could be granted. The ruling itself is available here.

In the action, the plaintiffs John Lewert and Lucas Kosner filed a class action complaint against P.F. Chang’s arising from a data breach involving theft of customers’ credit card and debit card data. The plaintiffs alleged, in connection with the data breach, that P.F. Chang’s had failed to comply with reasonable security standards. One report estimated that nearly seven million cards were compromised as a result of the breach, dating as far back as September 18, 2013.

Following the U.S. Secret Service’s discovery of the data compromise, P.F. Chang’s confirmed that identity thieves had used personal identifying data to steal individuals’ identities, open financial accounts and receive government benefits under those names, inter alia.

In the lawsuit, the plaintiffs had alleged that they incurred several types of damages in that they overpaid for products/services purchased from P.F. Chang’s, which included overpayment for putative compliance with industry standard measures for the collection and safeguarding of personally identifiable information. The plaintiffs also claimed that they had suffered actual damages from monetary losses arising from unauthorized bank account withdrawals and/or related bank fees. The plaintiffs further claimed damages arising from costs associated with identity theft and the increased risk of identity theft, and claimed opportunity cost and value of time spent monitoring financial and bank accounts, including the cost of obtaining replacement cards.

In ruling on P.F. Chang’s motion to dismiss, the court did not deny that customers’ credit card information was stolen in the security breach. However, the court relied on authority that future injury regarding the release of data is not a current injury in fact. Accordingly, the court ruled that the plaintiffs had suffered no injury. It found unconvincing the argument that the plaintiffs had been overcharged, since there was no indication that P.F. Chang’s had charged more to people who paid via credit/debit cards as compared to those who paid by cash.

The court also ruled that there was no economic injury involved with the time the plaintiffs spent replacing any credit card, and so no opportunity costs or damages arose from this aspect. Finally, the court held that a party cannot manufacture standing unless they can show that the harm of identity theft is imminent. The court found that the potential threat of identity theft was eliminated after the customers in this case cancelled the cards that were involved in the security breach.

This ruling is being appealed to the Seventh Circuit. We will continue to monitor the impact of this ruling on future data breaches involving similar factual and legal issues.


With Data Breach Class Actions on the Rise, Clapper Provides a Viable Defense

With recent data breaches at Home Depot, Target, Jimmy John’s, eBay, Neiman Marcus, P.F. Chang’s, Goodwill Industries, CNET, and others, there has been a resultant explosion of cybersecurity litigation.  Despite the rise in this area of litigation, data breach lawsuits still have to overcome a major hurdle – the standing requirement enunciated in Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013).

In Illinois, a number of such lawsuits were filed in the wake of Advocate Medical Group’s revelation that four laptops were stolen from its offices, containing the unencrypted personal health information of more than 4 million patients.  In one such putative class action, Vides v. Advocate Health and Hospitals Corp., the state court followed the rationale of Clapper in rejecting the plaintiffs’ argument that an increased risk of identity theft is sufficient in and of itself to satisfy the “injury-in-fact” requirement necessary to establish standing.

In Vides, the plaintiffs’ theories of liability included common law negligence, violation of the Illinois Consumer Fraud and Deceptive Business Practices Act, violation of the Illinois Personal Information Protection Act, public disclosure of private facts, and intentional infliction of emotional distress.  The court found that none, including the purported statutory violations, were adequate to confer plaintiffs standing, and that the damages asserted were too speculative to establish an injury in fact.  In coming to that conclusion, Judge Mitchell Hoffman reasoned that there are a number of variables that would have to be answered in the affirmative to establish an injury in fact, such as whether a person’s data was actually taken, whether that data was sold or transferred, whether anyone attempted to use the person’s data, and whether they succeeded in using it.  Because the plaintiffs could not allege that a threatened injury was certain as a result of the breach, the suit was dismissed in its entirety.

In coming to this ruling, the court noted that courts across the country had rejected the argument that risk of harm could equate to an injury in fact sufficient to satisfy Article III of the U.S. Constitution.  In its survey of law on data breach class actions across the country, the court also distinguished Seventh U.S. Circuit Court of Appeals decisions holding that the mere increased risk of identity theft was sufficient to confer standing, since these decisions predated Clapper.  Therefore, Clapper remains a tenuous obstacle for data breach lawsuits to overcome.

While the Clapper decision provides an excellent defense to data breach lawsuits, cybersecurity litigation remains on the rise.  As such, companies should continue to be proactive in assessing their internal systems and procedures to prevent any data breaches from occurring.
